CVE-2026-10520

CRITICAL KEV NUCLEI

Ivanti Sentry - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')


Exploitation Summary

CVE-2026-10520 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 11, 2026. EIP tracks 6 public exploits from researchers including error-inside, error.inside, 0xBlackash. A Nuclei detection template is also available.

Description

An OS Command Injection vulnerability in Ivanti Sentry versions before R10.5.2, R10.6.2 and R10.7.1 allows a remote unauthenticated user to achieve root-level remote code execution.

Exploits (6)

github SUSPICIOUS
by error-inside · python · poc
https://github.com/error-inside/CVE-2026-10520

The repository claims to contain a PoC for CVE-2026-10520 but only provides a placeholder script that redirects users to an external GitLab link. No actual exploit code is included.

Classification: Suspicious 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Theoretical
Target: Ivanti Sentry (before R10.5.2, R10.6.2, R10.7.1)
No auth needed
Prerequisites: Network access to vulnerable Ivanti Sentry instance
devstral-2 · analyzed Jun 19, 2026

gitlab WORKING POC
by error.inside · poc
https://gitlab.com/error.inside/CVE-2026-10520

This repository contains a functional exploit for CVE-2026-10520, an unauthenticated OS command injection vulnerability in Ivanti Sentry. The exploit sends crafted XML payloads to the MICS API endpoint to execute arbitrary commands as root.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Ivanti Sentry (before R10.5.2, R10.6.2, R10.7.1)
No auth needed
Prerequisites: Network access to the target Ivanti Sentry instance on port 8443
devstral-2 · analyzed Jun 19, 2026

github WORKING POC
by 0xBlackash · python · remote
https://github.com/0xBlackash/CVE-2026-10520

The repository contains a functional Python exploit for CVE-2026-10520, targeting Ivanti Sentry. The exploit demonstrates pre-authentication remote code execution (RCE) by sending a crafted HTTP POST request to the '/mics/api/v2/sentry/mics-config/handleMessage' endpoint, allowing arbitrary command execution as root.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Trivial
Reliability: Reliable
Target: Ivanti Sentry (formerly MobileIron Sentry)
No auth needed
Prerequisites: Network access to the target Ivanti Sentry instance
devstral-2 · analyzed Jun 11, 2026

github SCANNER
by HORKimhab · python · remote
https://github.com/HORKimhab/CVE-2026-10520-10523

The repository contains two Python scripts designed to detect CVE-2026-10520, an Ivanti Sentry command execution vulnerability. The scripts send crafted POST requests to the vulnerable endpoint and analyze responses for vulnerability markers, but do not include exploit payloads for actual command execution.

Classification: Scanner 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Sentry
No auth needed
Prerequisites: Network access to target Ivanti Sentry instance
devstral-2 · analyzed Jun 11, 2026

github SCANNER
by ogenich · python · remote
https://github.com/ogenich/CVE-2026-10520

This repository contains a Python-based scanner for detecting CVE-2026-10520, an OS command injection vulnerability in Ivanti Sentry. The tool sends crafted HTTP requests to the target endpoint and checks for specific response patterns to determine vulnerability status.

Classification: Scanner 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Sentry < R10.5.2, < R10.6.2, < R10.7.1
No auth needed
Prerequisites: List of target URLs
devstral-2 · analyzed Jun 10, 2026

nomisec WORKING POC
by watchtowrlabs · remote
https://github.com/watchtowrlabs/watchTowr-vs-Ivanti-Sentry-RCE-CVE-2026-10520-CVE-2026-10523

This repository contains a functional Python script that exploits CVE-2026-10520 and CVE-2026-10523 in Ivanti Sentry, demonstrating authentication bypass and remote code execution via a crafted API request to the `/mics/api/v2/sentry/mics-config/handleMessage` endpoint.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Ivanti Sentry
No auth needed
Prerequisites: Network access to the target Ivanti Sentry instance · Python 3 environment
devstral-2 · analyzed Jun 10, 2026

Nuclei Templates (1)

Ivanti Sentry - OS Command Injection
CRITICAL · VERIFIED · by DhiyaneshDk
Shodan: html:"Ivanti" html:"Sentry"

Scores

CVSS v3: 10.0
EPSS: 0.5952
EPSS Percentile: 99.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: active
Automatable: yes
Technical Impact: total

Details

CISA KEV: 2026-06-11
VulnCheck KEV: 2026-06-10
ENISA EUVD: EUVD-2026-35440
CWE: CWE-78
Status: published
Products (5)
ivanti/Sentry R10.5.2
ivanti/Sentry R10.6.2
ivanti/Sentry R10.7.1
ivanti/standalone_sentry 10.7.0
ivanti/standalone_sentry < 10.5.2
Published: Jun 09, 2026
KEV Added: Jun 11, 2026
Tracked Since: Jun 09, 2026